National Harbor, Md. -- Corporate employees who help carry out cyberattacks are increasingly being sought and are seeking criminals to hire them, a Gartner analyst told a group at the consulting firm’s Security and Risk Management Summit.

A group of 60 CIOs and CISOs she worked with say this recruitment is more active and becoming a larger concern because of their use of the Dark Web to sell their services, says Gartner analyst Avivah Litan.

She showed a screenshot of a Dard Web chat room in which a bank employee was seeking help to acquire and distribute a banking Trojan. An established criminal was trying to recruit the employee into a larger scheme.

“There’s lots of disgruntled employees out there,” she says. “They log onto TOR and make their service available.”

She introduced Rich Malewicz, the CIO Livingston County, Mich., who uncovered a ring of county employees pirating movies and stealing county data that included his own IT manager. The manager, who was actually leading the investigation into the piracy, and three others were caught and fired.

He caught on to the criminal activity because an employee notified him that when she came in in the morning her computer was on and she had turned it off when she left. It had also been moved.

He discovered via logs that an IT tech, who had been coming in late, leaving early and playing video games on county time, had come in at 3:30 to use the machine.

He used a tool from Observeit to track and record activity of the criminals, leading to their firing and criminal charges.

But catching insiders requires a range of tools and methods starting with scrutinizing personal interactions. Litan says she knows of a nuclear power entity that does quarterly three-hour interviews with key employees to monitor their personal situations. Have they been arrested for drunk driving? Are they getting divorced? Has the quality of their work slipped? These can indicate someone ripe for insider abuse.

Beyond that, businesses have to use detection and analysis tools to track these threat actors, she says. It’s data driven by monitoring structured and unstructured data, email, and chats on the Dark Web.

Analysis falls into four categories: descriptive, diagnostic, predictive and prescriptive. The first two try to answer what is happening and why. The third tries to project what will be stolen or tampered with and how that will happen. The final analysis tells what to do about the problem to prevent actual attacks.

About 80% of these insiders can be caught using rules and monitoring employees’ behaviors and the pressures they face in their personal lives, she says. The other 20% can be uncovered using anomaly detection tools that reveal how they stray from their routine, authorized use of the network.

Litan says insiders who compromise security fall into three categories, pawns, collaborators and lone wolves. The first are often unaware they are involved, having fallen prey to spear phishing that compromised their machines. Collaborators work knowingly with outside parties to compromise networks and data and lone wolves act independently, sometimes with just low-level privileges but also with broad privileges, such as NSA leaker Edward Snowden.

To spot low-level insiders who have gone bad security pros should look for keywords they search for and IP addresses and URLs they seek out on the Dark Web. For more advanced rogue insiders, using HR resource sand outside information like bankruptcy filings and monitoring underground chats may be called for.

Catching the most serious threat actors may require machine learning applied to this data in order to make connections between individuals and recruitment attempts, for example, that might not be apparent to less sophisticated tools.

Even as these analysis technologies improve, though, there are some case in which human monitoring and investigation of individuals is the only way to catch them, she says. “Technology will never detect a trusted insider doing normal things,” Litan says. “You need people involved.”

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.